doc: document jailer caveat when using --parent-cgroup

Document the issue in #4287 so customers are aware of it.

We will continue working on providing a resolution for it.

Signed-off-by: Pablo Barbáchano <[email protected]>

Author: pb8o

CHANGELOG.md

@@ -2,6 +2,13 @@
 
 ## [Unreleased]
 
+### Added
+
+- [#4287](https://github.com/firecracker-microvm/firecracker/issues/4287)
+  Document a caveat to the jailer docs when using the `--parent-cgroup` option,
+  which results in it being ignored by the jailer. Refer to the [jailer
+  documentation](./docs/jailer.md#caveats) for a workaround.
+
 ### Changed
 
 - [#4191](https://github.com/firecracker-microvm/firecracker/pull/4191):

docs/jailer.md

@@ -286,3 +286,8 @@ Note: default value for `<api-sock>` is `/run/firecracker.socket`.
 - If all the cgroup controllers are bunched up on a single mount point using
   the "all" option, our current program logic will complain it cannot detect
   individual controller mount points.
+
+- [#4287](https://github.com/firecracker-microvm/firecracker/issues/4287) When
+  starting a jailer with `--parent-cgroup` specified but no cgroup flags
+  specified, then the rules in the parent cgroup folder are ignored. To
+  workaround, use a dummy cgroup parameter like `--cgroup=memory.max=max`.